$whoami

Joe Petroske, <insert obligatory certification initials here>

Incident Handler, Target Cyber Fusion Center


WHAT THIS IS *NOT*

- The only way to do this (multiple stego techniques exist)
- Novel (based on 16-year-old research)
- Required (commercial tools exist)
- A tool recommendation
- A coding workshop
- Intended to be a language holy war


What The <expletive> Are You Talking About?


STEGANOGRAPHY DEFINED

The art and science of concealing a hidden message

Greek:
  steganos = covered/hidden
  graphein = writing

Same root as Stegosaurus, "roof lizard" (stegos = roof/cover)
"Steganalysis" = the art and science of detecting hidden messages
"Stegosauranalysis" = the art and science of finding Stegosauruses (Stegosauri?)

In this case, we will be discussing the technique of hiding an image file within another image file


TERMINOLOGY

- Payload = "the file we want to hide"
- Carrier = "the file that the payload is hidden in"
- Channel / Stegchannel / Stegfile / Package = "the carrier with the payload hidden in it"
- Encoding density = ratio of payload size to carrier size


WHY IS THIS RELEVANT?

- In this case... it's an interesting academic topic
- But more sinister applications for steganography exist... that military, intelligence, law enforcement, and security practitioners would care about:
  - Terrorism
    [screenshot: news article, "...files in plain sight, concealed in image and media files"]
  - Malware delivery and control
    [screenshot: TrendLabs Security Intelligence blog post, "Steganography and Malware: Concealing Code and C&C Traffic"]
  - ...and truly awful things


SO LET'S GO DETECT SOME STEGANOGRAPHY


PRELUDE: WHAT ACTUALLY *IS* AN IMAGE FILE?

COOL. SO WHAT'S IN THE DATA BITS?

- Modern true-color images are 24-bit color
  - That's 3 bytes: 1 for Red, 1 for Green, 1 for Blue (RGB)
  - (Then maybe one more byte for alpha: RGBA)
- .bmp format is literally a map of bits
- [table: RED / GREEN / BLUE byte values of 3 example pixels (RED row 78 9C AC, GREEN row 65 D9 71)]
- Bytewise, that's 789C...
- Whoa! That's a big number!


HOW DO YOU HIDE A FILE WITHIN A FILE?

24-bit color = 16,777,216 unique colors

Yeah, but... humans can only see about 10,000,000 colors

I can personally see only 24 colors

Changing the Least Significant Bit (LSB) of each color channel is undetectable to human eyes

- This is "FF4411"  =  This is "FE4310" (the LSB of every channel flipped)

This means that we can hide 3 bits of data in each pixel (out of a possible 24)


LSB STEGANOGRAPHY

- LSB image steganography is done by serializing the file you wish to hide, and replacing the LSB of each carrier pixel channel with the bits of your serialized file
- If done correctly, the stegfile is visually indistinguishable from the original carrier image!
- AND NOW WE HAVE A HIDDEN IMAGE THAT CANNOT BE DETECTED WITH THE NAKED


EFFECTIVE COLOR PALETTE

- There are 16,777,216 (2^24) potential unique colors in a true-color image
  - In practice, the actual palette size is FAR smaller than that
- Other than artifact borders, 2 adjacent pixels are often...

*WHY* LSB STEGO WORKS

- If colors in an image were randomized, their LSBs would be too
  - We just showed that is not the case
  - Many adjacent pixels are either identical, or WAY more different than 1 bit per channel
- If you consider the payload image to be effectively random noise...

BIG CONCEPT, YO

An artifact of LSB encoding is the creation of multiple "close pairs" of colored pixels


REMEMBER THIS DOGE 


CREATION OF A CLOSE COLOR PAIR

- The 24-bit .bmp format actually stores pixels in B, G, R order

Consider the following bitmap stream of 3 consecutive pixels:

  15 A3 E4   16 AA E0   19 9D CC

Embed the payload bits 1 0 1 1 0 1 0 0 1 (one bit into the LSB of each byte). This yields:

  15 A2 E5   17 AA E1   18 9C CD

Every new pixel lands right next to the color it came from:

  - 15 A3 E4 -> 15 A2 E5
  - 16 AA E0 -> 17 AA E1
  - 19 9D CC -> 18 9C CD
CLOSE COLOR PAIR, DEFINED

Two colors (R1, G1, B1) and (R2, G2, B2) are a close pair if

  abs(R1-R2) <= 1 && abs(G1-G2) <= 1 && abs(B1-B2) <= 1

or, equivalently, if their squared distance

  (R1-R2)^2 + (G1-G2)^2 + (B1-B2)^2

is at most 3 (and greater than 0: a pair is two *different* colors).

- 15 A3 E4 vs 15 A2 E5:  0^2 + 1^2 + (-1)^2 = 2     -> close pair
- 16 AA E0 vs 18 9C CD:  (-2)^2 + 14^2 + 19^2 = 561  -> these colors are NOT a close pair
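The three-pixel walkthrough and the close-pair test above, as an added example in Python (this is not the talk's PowerShell and not OpenStego's code). It embeds one payload bit per byte of a raw B,G,R stream, reads the bits back, and applies the squared-distance definition; the function names are mine, and the nine payload bits are the ones the slide embeds.

```python
# Added example (not from the talk): LSB embedding over a raw 24-bit BGR byte
# stream, plus the close-colour-pair predicate from Fridrich, Du and Long.

def embed_lsb(stream: bytes, bits) -> bytes:
    """Replace the least significant bit of each byte with the next payload
    bit. Bytes beyond the payload length are left untouched."""
    out = bytearray(stream)
    if len(bits) > len(out):
        raise ValueError("payload does not fit in carrier")
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | (bit & 1)   # clear the LSB, then set it
    return bytes(out)

def extract_lsb(stream: bytes, nbits: int):
    """Inverse of embed_lsb: read the LSB of the first nbits bytes."""
    return [b & 1 for b in stream[:nbits]]

def bytes_to_bits(payload: bytes):
    """Serialise a payload MSB-first; sender and receiver must agree on this."""
    return [(b >> (7 - k)) & 1 for b in payload for k in range(8)]

def pixels_from_bgr(stream: bytes):
    """Group a BGR byte stream (the .bmp order) into (R, G, B) tuples."""
    return [(stream[i + 2], stream[i + 1], stream[i])
            for i in range(0, len(stream) - 2, 3)]

def is_close_pair(c1, c2) -> bool:
    """Two *distinct* colours whose R, G and B each differ by at most 1.
    The squared Euclidean distance is then 1, 2 or 3; 0 is the same colour
    and is not a pair (the same exclusion as the talk's '-gt 0' check)."""
    d = sum((a - b) ** 2 for a, b in zip(c1, c2))
    return 0 < d <= 3

if __name__ == "__main__":
    carrier = bytes.fromhex("15A3E416AAE0199DCC")     # the slide's 3 pixels
    stego = embed_lsb(carrier, [1, 0, 1, 1, 0, 1, 0, 0, 1])
    print(stego.hex(" ").upper())                      # 15 A2 E5 17 AA E1 18 9C CD
    for before, after in zip(pixels_from_bgr(carrier), pixels_from_bgr(stego)):
        print(before, "->", after, "close pair:", is_close_pair(before, after))
```

Every embedded pixel is a close pair of the pixel it replaced, which is exactly the statistical fingerprint the rest of the talk goes looking for.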


ALGORITHM CREATORS

- Jiri Fridrich, Rui Du, Meng Long (SUNY Binghamton), "Steganalysis of LSB Encoding in Color Images", IEEE International Conference on Multimedia and Expo (ICME), 2000


WHAT EXACTLY ARE WE TRYING TO DO HERE?

- The goal of this steganalysis example is to determine, at some confidence level, that a questioned image contains a hidden steganographic payload.


STEGANALYSIS ALGORITHM

- Let U = number of unique colors in an image
- Let P = number of close color pairs in the image
- Let R = the ratio of close color pairs to all possible pairs of unique colors
  - R = P / C(U, 2) = 2P / (U * (U - 1))
  - If R is "close" to 1, higher likelihood that steganography is present (the R threshold can be adjusted to change the confidence interval)


VARIABLE CONFIDENCE

- The more unique colors in the questioned image, the lower the confidence of steganography detection via the close pair ratio
- The bigger the size ratio of the payload file to the carrier file, the higher the confidence of detection


BUT THAT STILL ISN'T GOOD ENOUGH

- Depending on carrier size and encoding density, the ratio of close pairs to all pairs might still not be definitive
- Fridrich and company had a revelation


WHAT LSB STEGO DOES TO THE CARRIER

- Mentioned earlier: embedding a payload into the LSBs essentially turns the stegchannel's LSBs into random noise

Ratio R = (close pairs / all color pairs)

Fridrich's Eureka Moment:

If an image already contains LSB stego and you randomly flip its LSBs, the ratio of close pairs to all color pairs WON'T CHANGE MUCH FROM THAT OF THE ORIGINAL IMAGE, because the LSBs were noise before you touched them. In a clean image the same flip spawns a crowd of brand-new, close colors, and the ratio moves.

Ratio R' = (close pairs after random LSB change / all color pairs after random LSB change)

SO THE RATIO OF R TO R' IS YOUR DISTINGUISHER


BIG CONCEPT, YO

Calculate the ratio R of close pairs to all pairs
Do it again (R') after randomly flipping the LSBs
Then find the ratio of those 2 ratios, R / R'

THE CLOSER THIS RATIO IS TO 1, THE HIGHER THE LIKELIHOOD THAT STEGANOGRAPHY IS PRESENT


Carrier Selection and Stegchannel Creation


SELECTION OF A CARRIER IMAGE

- To optimize steganalysis, our ideal carrier file should be
  - Of moderate size compared to the payload
  - Made up of a minimal number of unique pixel colors
  - Free of an alpha channel

- Stryper_noalpha_20colors.bmp, 151 KB
- This image has been posterized to use 20 unique colors

CHOOSE A PAYLOAD

- This could be ANY binary file
- In this case, we'll use a .png image

Supplies_hidden.png, 225x225 px, 99 KB (65% of carrier image)


CREATE A STEGCHANNEL

- I used OpenStego to create my stegchannel
- Plenty of free/open source tools available
- The output must be lossless (BMP, PNG): lossy compression such as JPEG rewrites the low bits and destroys the payload

[screenshot: OpenStego "Hide data in harmless looking files" dialog with Message File, Cover File (H:\LSBStego\stryper_noalpha_20colors.bmp), Output Stego File and Options fields]


CARRIER VS STEGCHANNEL

  Carrier:      151 KB BMP, 20 unique colors
  Stegchannel:  256 KB PNG, 1280 unique colors

The palette grew 64x (1280 = 20 x 64). Flipping a single LSB in each of three channels can produce at most 8 (2^3) variants of a color, so a 64x growth suggests the embedder touched more than one low bit per channel. Either way, the signal the detector looks for is there.


LET'S START THE CODE NOW

- The detection routine takes a few minutes to run. We'll just let it do that in the background.


STEGO DETECTION ALGORITHM

- Start with a suspected stegchannel image
- Calculate the number of unique colors in the image
- Serialize the image into a stream of bytes
- Group the byte stream into 3-byte RGB color values
- Count all pairs of unique colors whose R, G and B values each differ by at most one (close pairs)
- Calculate the ratio of close pairs to all possible pairs of unique colors
- Randomly flip the LSBs and do it again
- If the ratio of these 2 ratios is "sufficiently" close to 1.0, higher confidence that stego is present
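The whole detection routine above, as an added, runnable example in Python. It is not the talk's code (the talk's own implementation, which follows, is PowerShell) and not Fridrich's reference code. It builds a constructed, posterized 24-bit BMP carrier of 20 colors, parses the BMP properly (skipping the 54-byte header and row padding rather than treating the raw file bytes as pixels), computes R and R' over the unique colors, and applies the talk's decision rule. The carrier, the payload, the 64x64 size, the 0.9 threshold and all function names are my assumptions.

```python
# Added example (not the talk's PowerShell): close-colour-pair steganalysis
# (Fridrich, Du, Long 2000) run end to end on a constructed 24-bit BMP.
import random
import struct

def write_bmp24(width, height, pixels):
    """Minimal bottom-up 24-bit BMP: 54-byte header, BGR bytes, rows padded to 4."""
    pad = (4 - (width * 3) % 4) % 4
    body = bytearray()
    for y in range(height - 1, -1, -1):                 # file stores the bottom row first
        for r, g, b in pixels[y * width:(y + 1) * width]:
            body += bytes((b, g, r))
        body += b"\0" * pad
    header = struct.pack("<2sIHHI", b"BM", 54 + len(body), 0, 0, 54)
    dib = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, len(body), 2835, 2835, 0, 0)
    return header + dib + bytes(body)

def read_bmp24(data):
    """Row-major (R, G, B) pixels, skipping the header and row padding that a
    raw byte dump (Get-Content -Encoding Byte) would mistake for pixels."""
    offset = struct.unpack_from("<I", data, 10)[0]      # bfOffBits: where pixels start
    width, height = struct.unpack_from("<ii", data, 18)
    if struct.unpack_from("<H", data, 28)[0] != 24:
        raise ValueError("only 24-bit BMPs are handled here")
    stride = (width * 3 + 3) & ~3                        # padded row length in bytes
    rows = []
    for y in range(abs(height)):
        base = offset + y * stride
        rows.append([(data[base + 3 * x + 2], data[base + 3 * x + 1], data[base + 3 * x])
                     for x in range(width)])
    if height > 0:
        rows.reverse()                                   # positive height means bottom-up
    return [px for row in rows for px in row]

# The 26 offsets that make another colour "close": every channel within +/-1.
NEIGHBOURS = [(dr, dg, db) for dr in (-1, 0, 1) for dg in (-1, 0, 1)
              for db in (-1, 0, 1) if (dr, dg, db) != (0, 0, 0)]

def close_pair_ratio(pixels):
    """R = P / C(U, 2): close pairs among the U unique colours over all pairs."""
    palette = set(pixels)
    u = len(palette)
    if u < 2:
        return 0.0
    hits = sum(1 for r, g, b in palette for dr, dg, db in NEIGHBOURS
               if (r + dr, g + dg, b + db) in palette)
    return (hits // 2) / (u * (u - 1) / 2)               # each pair is seen from both ends

def randomise_lsbs(pixels, rng):
    """Flip each channel's LSB with probability 1/2 (XOR with 0 or 1)."""
    return [tuple(c ^ rng.randint(0, 1) for c in px) for px in pixels]

def lsb_stego_score(pixels, seed=0):
    """Return (R, R', R/R'); R/R' near 1 means the LSBs were already noise."""
    r = close_pair_ratio(pixels)
    r_prime = close_pair_ratio(randomise_lsbs(pixels, random.Random(seed)))
    return r, r_prime, (r / r_prime if r_prime else float("inf"))

def contains_lsb_stego(pixels, threshold=0.9):
    """The talk's decision rule: |R/R' - 1| <= |threshold - 1|."""
    return abs(lsb_stego_score(pixels)[2] - 1) <= abs(threshold - 1)

def make_carrier(width=64, height=64, colours=20, seed=1):
    """Constructed posterised carrier: colours >= 8 apart, so it has no close pairs."""
    rng = random.Random(seed)
    palette = set()
    while len(palette) < colours:
        palette.add(tuple(8 * rng.randrange(1, 31) for _ in range(3)))
    palette = sorted(palette)
    return [rng.choice(palette) for _ in range(width * height)]

def make_payload(nbytes, seed=2):
    """Constructed payload: pseudo-random bytes standing in for a real file."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(nbytes))

def embed_payload(pixels, payload):
    """LSB-embed the payload bits (MSB first) across R, G, B of successive pixels."""
    bits = [(byte >> (7 - k)) & 1 for byte in payload for k in range(8)]
    flat = [c for px in pixels for c in px]
    if len(bits) > len(flat):
        raise ValueError("payload too large for carrier")
    for i, bit in enumerate(bits):
        flat[i] = (flat[i] & 0xFE) | bit
    return [tuple(flat[i:i + 3]) for i in range(0, len(flat), 3)]

if __name__ == "__main__":
    carrier = read_bmp24(write_bmp24(64, 64, make_carrier()))
    stego = embed_payload(carrier, make_payload(998))   # ~65% of capacity, like the talk
    for name, img in (("carrier", carrier), ("stegchannel", stego)):
        r, rp, ratio = lsb_stego_score(img)
        print(f"{name}: U={len(set(img))} R={r:.4f} R'={rp:.4f} "
              f"R/R'={ratio:.3f} stego={contains_lsb_stego(img)}")
```

On the clean carrier R is 0 (no two of the 20 colors are within one step of each other) while the random flip creates up to 8 neighbours per color, so R/R' is 0 and the image passes. On the stegchannel the embedding has already spread each color over its 8 LSB variants, a second flip changes almost nothing, and R/R' comes out at about 1. Close pairs are counted over unique colors with a set lookup rather than pixel against pixel, which is what keeps this to seconds instead of the minutes the talk mentions.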


TIME FOR SOME POWERSHELL

FIRST: ACQUIRE IMAGE AND CONVERT TO A STREAM OF BYTES

- Use the -Encoding Byte switch of Get-Content to convert the file to an array of bytes

    [Byte[]] $imageBytes = Get-Content -Encoding Byte -Path $file

- Caveats: -Encoding Byte is Windows PowerShell; PowerShell 6 and later use -AsByteStream instead. The array is the whole file, so for a .bmp it still contains the 54-byte header and any per-row padding, and for a .png it is compressed data, not pixels. Skip the header (the pixel-data offset is the 32-bit value at byte 10) or decode the image to raw pixels first.


NEXT: LOAD EACH COLOR CHANNEL INTO AN ARRAY

- Pass in the array of bytes
- R, G, B repeats every 3 bytes

    $redList   = New-Object System.Collections.Generic.List[byte]
    $greenList = New-Object System.Collections.Generic.List[byte]
    $blueList  = New-Object System.Collections.Generic.List[byte]

    for ($i = 0; $i -le ($imageBytes.Length - 3); $i = $i + 3)
    {
        $redList.Add($imageBytes[$i])
        $greenList.Add($imageBytes[$i+1])
        $blueList.Add($imageBytes[$i+2])
    }

- Note: as mentioned earlier, a .bmp stores each pixel as B, G, R, so for a bitmap these lists are really blue, green, red. The close pair test treats all three channels the same way, so the labels don't change the result.


RANDOMIZE ALL THE LSBs

- We now need to take the original byte array, and randomize all of its LSBs
- We then find the ratio of close color pairs to all color pairs for THIS image
- PowerShell's Get-Random cmdlet comes in handy here
- A binary XOR with a single 1 bit operates only on the LSB

    $returnList = New-Object System.Collections.Generic.List[byte]

    foreach ($byte in $imageBytes)
    {
        $random = Get-Random -Maximum 2    # returns 0 or 1

        if ($random -eq 1)
        {
            # Binary XOR the LSB with 1 to flip the LSB (otherwise leave it the same)
            $byte = $byte -bxor 1
        }
        $returnList.Add($byte)
    }


NOW FIND ALL THE CLOSE PAIRS

- A "Close Pair" is any two different colors whose R, G and B channels are each either the same or off by one
- So: subtract the R, G, B values of 2 colors, and square the differences to remove negative values
- If the sum of the squared differences is greater than 0 and less than or equal to 3, we have a Close Pair
- Do this for the original image, and for the copy with randomized LSBs

    # $r1,$g1,$b1 and $r2,$g2,$b2 are the channels of the two unique colors being compared
    $deltaR = $r1 - $r2
    $deltaG = $g1 - $g2
    $deltaB = $b1 - $b2

    # Squared distance between the two colors: 0 means the same color, 1..3 means a close pair
    $distSq = [math]::Pow($deltaR, 2) + [math]::Pow($deltaG, 2) + [math]::Pow($deltaB, 2)

    if (($distSq -gt 0) -and ($distSq -le 3))
    {
        $closePairs++
    }


MOMENT OF TRUTH

- Divide the close pair ratio for the original image by that of the randomized image
- If this ratio is "sufficiently close" to 1 (set by the threshold), steganography is present

    # R / R' : the close pair ratio of the original over that of the randomized copy
    $masterRatio = $originalRatio / $randomizedRatio

    # If the ratio is within +/- the difference between 1 and the threshold,
    # it is likely that stego is present
    if ([math]::Abs($masterRatio - 1) -le [math]::Abs($threshold - 1))
    {
        Write-Host "Questioned image $filePath contains LSB steganography, at $threshold level."
    }


BACK TO STRYPER

Want a copy of my code? joe.petroske@target.com

...and now it's John Strand Time!


